So I think if we're to use Supertokens at this point we're left with Hasura webhook authentication, where we would authenticate API clients with API keys which we issue and manage, and validate JWTs issued by Supertokens for human users, bridging each case into the appropriate headers Hasura needs in order to identify the user.